xss attack vector - Githubissues

anasera3 / dompdf

Automatically exported from code.google.com/p/dompdf

0 stars 0 forks source link

xss attack vector #521

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago


There is a flaw in the script which provides a potential xss attack vector.

Please contact me directly for an explanation.

Original issue reported on code.google.com by chris.ha...@sa.gov.au on 24 Jul 2012 at 2:58

GoogleCodeExporter commented 9 years ago

Is this the same vulnerability identified in issue 177?

Original comment by eclecticgeek on 24 Jul 2012 at 6:09

GoogleCodeExporter commented 9 years ago

No this is a separate issue. I have responded via email with more details about 
the potential hack

Original comment by chris.ha...@sa.gov.au on 26 Jul 2012 at 12:16

GoogleCodeExporter commented 9 years ago

Original comment by eclecticgeek on 27 Jul 2012 at 1:19

Changed state: Accepted
Added labels: Milestone-Release0.6, Priority-Critical
Removed labels: Priority-Medium

GoogleCodeExporter commented 9 years ago

Can anyone provide details for this exploit? The benefits of open source 
include finding all the holes so they may be patched...

Original comment by msenatea...@gmail.com on 19 Nov 2012 at 9:16

GoogleCodeExporter commented 9 years ago

We will update this issue with details on the exploit once we correct the 
problem. The issue lies in the support scripts (namely the included web 
content). You can avoid the problem by placing dompdf in a directory not 
accessible via the web.

Please note that the issue is not as serious as the previously-disclosed remote 
file inclusion exploit.

Original comment by eclecticgeek on 20 Nov 2012 at 2:39

GoogleCodeExporter commented 9 years ago

Original comment by eclecticgeek on 24 May 2013 at 3:00

Added labels: Restrict-AddIssueComment-Commit